oora AG expressly guarantees compliance with Swiss data protection regulations. oora AG undertakes to ensure state-of-the-art security for systems, programmes, etc. that it owns and over which it has influence. oora AG secures the website and associated systems against loss, destruction, access, modification or distribution of its data by unauthorised persons through appropriate technical and organisational measures.
oora AG undertakes not to pass on data about users to third parties who are not involved in the fulfilment of contracts. oora AG may pass on personal data to authorities in the UK and abroad in the context of civil, administrative and criminal proceedings, provided that there is a legally binding and enforceable judgement, order or legal obligation. Processes on the system and traffic edge data are logged by oora AG or third-party providers and stored to the extent required by law and for the statutory period.
The entity responsible for processing personal data is:
oora AG
Engelgasse 2
9000 St.Gallen
Switzerland
info@oora.ch
For requests relating to the protection of your personal data, you can contact the above address by letter, telephone or email.
We consider it our primary responsibility to maintain the confidentiality of the personal data you provide and to protect it from unauthorised access. As a private company, we are subject to the provisions of the Swiss Data Protection Act (DSG). We have taken technical and organisational measures to ensure that data protection regulations are observed both by us and by our external service providers.
The law requires that personal data be processed in good faith and proportionately. To ensure this, we inform you about the individual legal definitions that are also used in this privacy policy:
Personal data must be processed lawfully
Processing must be carried out in good faith and be proportionate.
Personal data may only be collected for a specific purpose that is recognisable to the data subject; it may only be processed in a manner that is compatible with that purpose.
It shall be destroyed or anonymised as soon as it is no longer required for the purpose of processing.
Anyone who processes personal data must ensure that it is accurate. He or she must take all reasonable measures to ensure that data which is inaccurate or incomplete in relation to the purpose for which it was obtained or processed is corrected, deleted or destroyed. The appropriateness of the measures depends in particular on the nature and scope of the processing and the risk that the processing poses to the privacy or fundamental rights of the data subjects.
If the consent of the data subject is required, this consent is only valid if it is given voluntarily for one or more specific processing operations after appropriate information has been provided.
Consent must be given explicitly for: the processing of particularly sensitive personal data; high-risk profiling by a private individual; profiling by a federal body.
Below, we provide information about the collection of personal data when using our website. Personal data includes, for example, name, address, email addresses and user behaviour. When using the website for informational purposes only, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security:
IP address - Date and time of the request
Time zone difference to Greenwich Mean Time (GMT)
Content of the request (specific page)
Access status/HTTP status code
Amount of data transferred in each case
Website from which the request originates
Browser
Operating system and its interface
Language and version of the browser software
After technical evaluation, this data is deleted immediately. This data collection serves to safeguard our interests in the context of striving for a correct presentation of our website offering, as well as in the interests of security and confidentiality.
We use the Cookiebot cookie consent tool to obtain effective user consent for cookies and cookie-based applications that require consent. By integrating this consent tool, users are shown a banner when they visit the website, in which they can give their consent to certain cookies and/or cookie-based applications by ticking a box. The tool blocks the setting of all cookies requiring consent until the respective user has given their consent by ticking the box. This ensures that such cookies are only set on your device if you have given your consent. In order for the cookie consent tool to clearly assign page views to individual users and to individually record and log the consent settings you have made log and store them for the duration of a session, certain user information (including the IP address) is collected by the cookie consent tool when our website is accessed, transmitted to the server of the cookie consent tool provider and stored there. This data disclosure is carried out in accordance with Art. 45c lit. b of the Swiss Telecommunications Act (hereinafter FMG). As the responsible party, we are subject to the legal obligation to make the use of technically unnecessary cookies dependent on the respective user consent.
By using our website, information (e.g. IP address) may be accessed or stored (e.g. cookies) on your end devices. This access or storage may involve further processing of personal data within the meaning of the DSG.
In addition to the aforementioned data, cookies or similar technologies such as pixels (hereinafter collectively referred to as ‘cookies’) are used on your computer when you use and visit our website. Cookies are either small databases stored by your browser on your device to store certain information, or image files such as pixels. The next time you visit our website using the same device, the information stored in cookies is then sent back to our website (‘first-party cookie’) or to another website to which the cookie belongs (‘third-party cookie’).
The stored and returned information enables the respective website to recognise that you have already visited it using the browser on your device. We use this information to optimise the website and display it according to your preferences. Only the cookie itself is identified on your device. Any further storage of personal data will only take place with your express consent or if it is absolutely necessary in order to use the service offered and accessed by you.
This website uses the following types of cookies, the scope and functionality of which are explained below:
Strictly necessary cookies (type a)
Functional and performance cookies (type b)
Cookies requiring consent (type c)
Strictly necessary cookies (type a)
Strictly necessary cookies ensure functions without which you cannot use our websites as intended. These cookies are used exclusively by us and are therefore first-party cookies. This means that all information stored in the cookies is returned to our website.
Strictly necessary cookies are used, for example, to ensure that you, as a registered user, remain logged in when accessing various subpages of our website and do not have to re-enter your login details each time you visit a new page.
The use of strictly necessary cookies on our website is possible without your consent. For this reason, strictly necessary cookies cannot be deactivated or activated individually. However, you can deactivate cookies in your browser at any time (see below).
Functional and performance cookies (type b)
Functional cookies enable our website to store information you have already entered (such as your registered name or language selection) and to offer you improved and more personalised features based on this information. These cookies collect and store only anonymised information, so they cannot track your movements on other websites.
Performance cookies collect information about how our websites are used in order to improve their appeal, content and functionality. These cookies help us, for example, to determine whether and which subpages of our website are visited and which content users are particularly interested in. Specifically, we collect the number of visits to a page, the number of subpages viewed, the time spent on our website, the order in which pages were visited, the search terms that led you to us, the country, region and, if applicable, the city from which the visit originated, as well as the proportion of mobile devices accessing our websites. We also record movements, clicks and scrolling with the computer mouse in order to understand which areas of our website are of particular interest to users. As a result, we can tailor the content of our website more specifically to the needs of our users and optimise our offering. The IP address of your computer, which is transmitted for technical reasons, is automatically anonymised and does not allow us to identify individual users.
You can object to the use of functional and performance cookies at any time by adjusting your cookie settings accordingly.
Cookies requiring consent (type c)
Cookies that are neither strictly necessary (type a) nor functional or performance cookies (type b) are only used after you have given your consent.
We reserve the right to use information obtained from an anonymous analysis of the usage behaviour of visitors to our websites by means of cookies to display specific advertising for certain of our products on our own websites. We believe that you, as a user, benefit from this because we display advertisements or content that we assume, based on your surfing behaviour, to match your interests, so that you are less likely to see randomly scattered advertisements or certain content that may be of less interest to you.
Marketing cookies come from external advertising companies (third-party cookies) and are used to collect information about the websites visited by the user in order to create targeted advertising for the user.
The processing of cookies is based on Section 45c lit. b FMG.
You can also disable cookies used for online advertising using tools developed in many countries as part of self-regulation programmes, such as the US-based
https://www.aboutads.info/choices
or the EU-based http://www.youronlinechoices.com/uk/your-ad-choicesverwalten.
Please note that you can also set your internet browser to prevent cookies from being stored on your device or to ask you each time whether you agree to cookies being set. Once cookies have been set, you can delete them at any time. You can find out how all this works in detail in your browser’s help function.
The cookies and third-party requests described above are set on your device by our website through the following services:
Google Analytics 4 (GA4)
This website uses Google Analytics 4, a service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (‘Google’), which can be used to analyse website usage.
When using Google Analytics 4, so-called ‘cookies’ are used. Cookies are databases that are stored on your device and enable an analysis of your use of a website. The information collected by cookies about your use of the website (including the IP address transmitted by your device, truncated to the last few digits, see below) is usually transmitted to a Google server, where it is stored and processed. This may also involve the transfer of information to the servers of Google LLC, based in the USA, where the information may be further processed. GA4 also offers server-side tracking, which enables us to pseudonymise user data on our own server before transferring it to Google.
When using Google Analytics 4, the IP address transmitted by your device when using the website is automatically collected and processed in a pseudonymised manner only, so that the information collected cannot be directly linked to you as a person. If we as a company do not carry out server-side pseudonymisation, automatic pseudonymisation takes place by Google truncating the IP address transmitted by your device within Switzerland or member states of the European Union (EU) or other signatory states to the Agreement on the European Economic Area (EEA) by the last digits.
On our behalf, Google uses this and other information to evaluate your use of the website, to compile reports on your website activity and usage behaviour, and to provide us with other services related to your website and internet usage. The IP address transmitted by your device and shortened within the scope of Google Analytics 4 is not merged with other Google data. The data collected through the use of Google Analytics 4 is stored for 2 months and then deleted.
Google Analytics 4 enables us to recognise a user’s browser fingerprints, known as ‘demographic characteristics’. This allows us to evaluate information about the age, gender and interests of website users across devices based on an evaluation of interest-based advertising and with the help of third-party information. This makes it possible to identify and differentiate between user groups on the website for the purpose of optimising marketing measures for specific target groups. However, data collected via ‘demographic characteristics’ cannot be assigned to a specific person and therefore cannot be assigned to you personally. Data collected via the ‘demographic characteristics’ function is stored for two months and then deleted.
All of the processing described above, in particular the setting of Google Analytics cookies for the storage and retrieval of information on the device you use to access the website, only takes place if you have set your browser to accept cookies. Otherwise, Google Analytics 4 will not be used while you are using the website.
We have concluded a so-called order processing agreement with Google for our use of Google Analytics 4, which obliges Google to protect the data of our website users and not to pass it on to third parties.
The provider has signed the standard contractual clauses recognised by the Federal Data Protection and Information Commissioner (FDPIC) in accordance with the prevailing EU data protection regulations (https://ec.europa.eu/info/law/law-topic/data-protection/publications/standard-contractual-clauses-controllers-and-processors). Further legal information on Google Analytics 4 can be found at https://policies.google.com/privacy and at https://policies.google.com/technologies/partner-sites.
Please note that you can refuse cookies. You can deactivate them at any time in your web browse
Google Tag Manager
We use Google Tag Manager. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
The Google Tag Manager solution allows you to manage website tags for marketing purposes via an intuitive user interface. The Tag Manager is solely responsible for monitoring the triggering of tags. With regard to these specific third-party providers, corresponding explanations are available in the privacy policy. However, this information is not used by the Google Tag Manager platform. If you have set cookies to be disabled or made other adjustments, these settings will be taken into account for all tracking tags used with the help of Google Tag Manager, meaning that the tool will not make any changes to your cookie settings.
Please note that you can refuse cookies. You can disable them at any time in your web browser.
Google Marketing Platform (formerly DoubleClick)
On our website, we use the online marketing tool Google Marketing Platform from Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4.
We use the tool for marketing and optimisation purposes to display relevant and interesting ads for you and to better market ourselves externally.
Campaign Manager uses cookies that are stored locally on your device by your web browser. Google uses a cookie ID to track which ads are displayed in which web browser. This prevents ads from being displayed multiple times. Campaign Manager can also use cookie IDs to track so-called conversions related to ad requests. An example would be if you see an advert from an advertiser displayed by Campaign Manager and then visit the advertiser’s website in the same web browser.
Due to the technology used, your browser automatically establishes a direct connection to Google’s server. We have no influence on the scope and further use of the data collected by Google through the use of this tool and therefore inform you according to our state of knowledge: Through the integration of Campaign Manager, Google receives information that you have accessed the corresponding part of our website or clicked on one of our advertisements. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, it is possible that the provider may find out and store your IP address.
The provider has signed the standard contractual clauses recognised by the Federal Data Protection and Information Commissioner (FDPIC) in accordance with the prevailing EU data protection regulations (https://ec.europa.eu/info/law/law-topic/data-protection/publications/standard-contractual-clauses-controllers-and-processors). Further information on data use by Google, settings and objection options, and data protection can be found on the following Google website: https://policies.google.com/privacy?hl=de&gl=de
Please note that you can refuse cookies. You can deactivate them at any time in your web browser.
LinkedIn Insight Tag (Pixel)
On this page, we use LinkedIn’s Insight Tag (Pixel). This service is provided by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.
LinkedIn’s Insight Tag provides us with information about visitors to our site. If a user is registered on LinkedIn, we can analyse the professional data (such as career level, company size, country, location, industry and job title) of visitors to our site in order to better tailor the site to the relevant target groups. In addition, we can use the LinkedIn Insight Tag to measure the activities of visitors to our website (conversion tracking). This conversion tracking can also be carried out across multiple devices used by a user. LinkedIn Insight Tag also enables a retargeting function that allows us to place targeted advertising outside the website, whereby, according to LinkedIn, the advertising recipient is not identified.
We are responsible for the operation of the site together with LinkedIn and therefore have a so-called ‘joint responsibility’ towards the user. We have concluded a corresponding agreement with LinkedIn in accordance with Art. 33 DSG.
In addition, so-called log files are collected by LinkedIn. These include, among other things, URL, referrer URL, IP address, device and browser properties, and time of access. IP addresses are truncated or (if they are used to reach LinkedIn members across devices) pseudonymised. LinkedIn deletes IP addresses of LinkedIn members after seven days. The data pseudonymised by this process is then deleted by LinkedIn within 180 days.
As the website operator, we are unable to assign the data collected in this way to individual persons. LinkedIn also uses the data obtained in this way for its own advertising purposes; it is likely that the data is stored on servers in the USA.
For details, please refer to LinkedIn’s privacy policy at https://www.linkedin.com/legal/privacy-policy.
To prevent LinkedIn from analysing your usage behaviour and to object to targeted advertising, you can do so at the following link: https://www.linkedin.com/psettings/guest-controls.
In addition, LinkedIn members have the option of controlling the use of their personal information for advertising purposes in their account settings. To avoid a link between the data collected by our website and your LinkedIn account, we recommend that you log out of your LinkedIn account before visiting our site.
Please note that you can refuse cookies. You can deactivate them at any time in your web browser.
Adobe Typekit
This site uses so-called web fonts provided by Adobe’s Typekit programme, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland, for the uniform display of fonts. When you visit a page, your browser loads the required web fonts into your browser cache to display texts and fonts correctly.
For this purpose, the browser you are using must connect to the Adobe Typekit servers. This allows Adobe Typekit to know that our website has been accessed via your IP address. Adobe Typekit web fonts are used in the interest of a uniform and appealing presentation of our online offerings.
In this context, data from users may be processed on systems outside Switzerland. Data transfers abroad can be based on Art. 17 DSG.
If your browser does not support web fonts, a standard font from your computer will be used. Further information on Adobe Typekit web fonts can be found at https://typekit.com/ and in the Adobe Typekit privacy policy: https://www.adobe.com/de/privacy/policies/typekit.html
Please note that you can refuse cookies. You can deactivate them at any time in your web browser.
Vimeo
The provider of video hosting on Vimeo is: Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA. A connection to the Vimeo servers is established. The Vimeo server is informed which of our pages you have visited. Vimeo also obtains your IP address. This also applies if you are not logged in to Vimeo or do not have a Vimeo account. The information collected by Vimeo is transmitted to the Vimeo server in the USA. If you are logged in to your Vimeo account, you enable Vimeo to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out of your Vimeo account.
In this context, data from users may be processed on systems outside Switzerland. Data transfers abroad can be based on Art. 17 DSG.
Further information on the handling of user data can be found in Vimeo’s privacy policy at: https://vimeo.com/features/video-privacy.
We would like to point out that you can refuse cookies. You can deactivate them at any time in your web browser.
Hotjar
This website uses the Hotjar analysis software after consent has been given. The provider is Hotjar Ltd., 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta.
By using Hotjar, we are able to analyse user behaviour on the website more accurately and further optimise it. The information collected in this process (mouse pointer movements, clicks, scroll movements) is transmitted to Hotjar in anonymised form. Information entered on our website is rendered unrecognisable before being transmitted to Hotjar. Hotjar uses this information to create reports that are made available to us for analysis and evaluation. In order to analyse users and their use of our website across pages, Hotjar stores cookies on the user’s computer.
Please note that you can refuse cookies. You can deactivate them at any time in your web browser.
Further information on data protection can be found at https://www.hotjar.com/legal/policies/privacy.
The following social networks are integrated into our website:
YouTube
We have integrated videos from the provider YouTube, Google Ireland Limited Gordon House, Barrow Street Dublin 4, Ireland, into our online offering, which are stored at http://www.YouTube.com and can be played directly from our website. We have no influence on this data transfer. The purpose of the processing is marketing. If we embed videos on our website, we will implement this using the so-called two-click solution, so that the data (IP address) is only forwarded to Google when the element is active.
When you visit the website, YouTube receives the information that you have accessed the corresponding subpage of our website. This occurs regardless of whether YouTube provides a user account that you are logged in to or whether no user account exists. If you are logged in to Google, your data will be directly associated with your account. If you do not want this association with your YouTube profile, you must log out before activating the button. YouTube stores your data as usage profiles and uses it for advertising, market research and/or the needs-based design of the website. Such evaluation continues to take place (even for users who are not logged in) in order to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact YouTube to exercise this right.
In this context, data from users may be processed on systems outside Switzerland. Data transfers abroad can be based on Art. 17 DSG. Further information on the purpose and scope of data collection and its processing by YouTube can be found in YouTube’s privacy policy. There you will also find further information on your rights and settings options for protecting your privacy: https://policies.google.com/privacy.
Please note that you can refuse cookies. You can deactivate them at any time in your web browser. Furthermore, Google offers a number of options for objecting to the collection of personal data by Google: https://policies.google.com/privacy#infochoices
Instagram
We maintain a page on the Instagram platform, which can be accessed via a link on our website. The platform is provided by Meta Platforms Ireland Limited, Hanover Reach, 5-7 Hanover Quay, Dublin 2, Ireland.
Please note that you use this Instagram page and its functions at your own risk. This applies in particular to the use of interactive functions (e.g. commenting or rating).
When you visit our Instagram page, Instagram collects, among other things, your IP address and other information stored on your computer in the form of cookies. This information is used to provide us, as the operator of the Instagram pages, with statistical information about the use of the Instagram page.
The data collected about you in this context is processed by Instagram Inc. and may be transferred to countries outside Switzerland and the European Union. The provider Meta Platforms describes in general terms what information Instagram receives and how it is used in its privacy policy. There you will also find information about how to contact Instagram and how to set up advertising options.
Instagram does not conclusively and clearly state how it uses the data from visits to Instagram pages for its own purposes, to what extent activities on the Instagram page are assigned to individual users, how long Instagram stores this data and whether data from a visit to the Instagram page is passed on to third parties, and we do not have this information.
When you access an Instagram page, the IP address assigned to your device is transmitted to Instagram. According to Instagram, this IP address is anonymised and deleted after 90 days. Instagram also stores information about its users’ devices (for example, as part of the ‘login notification’ function); this may enable Instagram to assign IP addresses to individual users.
If you are currently logged in to Instagram as a user, a cookie with your Instagram ID is stored on your device. This enables Instagram to track that you have visited this page and how you have used it. This also applies to all other Instagram pages.
Instagram’s privacy policy is available at the following link: https://help.instagram.com/519522125107875.
If you wish to submit an enquiry via our website, it is necessary for the conclusion of the contract that you provide your personal data, which we require to process your enquiry. The information requested is mandatory for the initiation of the contract. We process the data you provide in order to process your enquiry.
If no contract is concluded, the personal data from your enquiry will be deleted within 90 days of notification that the contract has not been concluded.
The basis for this data processing is your consent.
When you contact us by e-mail or via our contact form, we will store the data you provide (your e-mail address, your name and telephone number, if applicable) in order to answer your questions. We delete the data collected in this context once it is no longer necessary to store it, e.g. once your request has been dealt with. Otherwise, processing will be restricted if there are legal retention obligations. If the contact leads to the initiation of a contract, we will process the data as described above. The basis for this data processing is your consent.
We only process your data for as long as is necessary to fulfil our contract or applicable legal provisions and to maintain our relationship with you. We will inform you of the specific storage period for the data in the respective description of the individual data processing. If you do not find any specific information on the storage period there, we are unable to specify one because it depends on various individual factors (e.g. the term of the contract, assertion of claims, etc.). In such cases, we base the storage period on the principles of data minimisation and proportionality.
Business documents are stored for a maximum of 6 and 10 years in accordance with the provisions of the German Commercial Code and the German Fiscal Code. Unless you object or revoke your consent, we will use your data to maintain and intensify our trusting business relationship for the mutual benefit of both parties. If you wish your data to be deleted, we will delete your data immediately, provided that there are no legal retention obligations that prevent deletion.
Right to information
If personal data is processed, you may request information about it and the following details at any time.
You will receive the information necessary to enable you to exercise your rights and to ensure that we process data transparently. In any case, we will provide you with the following information: information about us as the responsible body; the categories of personal data we process; the purpose for which your data is processed by us; the storage period of the personal data or, if this is not possible, the criteria for determining this period; the available information about the origin of your personal data, unless the data was collected directly from you as the data subject; where applicable, the existence of an automated individual decision-making process and the logic on which the decision is based; where applicable, the recipients or categories of recipients to whom personal data are disclosed, as well as the information referred to in Article 19(4) of the DSG
Personal data relating to health may be disclosed to you as the data subject with your consent by a healthcare professional designated by you.
If we, as the responsible body, have personal data processed by a contract processor, we are obliged to provide you with information about this.
As the responsible body, we must provide you with information free of charge. The Federal Council may provide for exceptions, particularly if the effort involved is disproportionate.
The information is usually provided within 30 days.
Right to data disclosure or transfer
As the data subject, you may request that we, as the controller, disclose your personal data that we have provided to you in a commonly used electronic format if the processing is carried out using automated means and the data is processed with the consent of the data subject or in direct connection with the conclusion or performance of a contract between the controller and the data subject.
As the data subject, you may also request that we, as the controller, transfer your personal data to another controller if the conditions set out in paragraph 1 are met, this is technically feasible and does not require a disproportionate effort.
As the controller, we must disclose or transfer the personal data free of charge. The Federal Council may provide for exceptions, in particular if the effort involved is disproportionate.
Restrictions on the right to data disclosure or transfer
As the controller, we may refuse, restrict or postpone the disclosure or transfer of personal data for the reasons set out in Article 26(1) and (2) of the FADP.
Our offer is generally aimed at adults. Persons under the age of 18 should not submit any personal data to us without the consent of their parents or legal guardians.
If sections or individual terms of this statement are not legal or correct, the content or validity of the other parts remain uninfluenced by this fact.
Protecting the company’s information and IT assets (including, but not limited to, all computers, mobile devices, network equipment, software and sensitive data) from all internal, external, intentional or accidental threats. Minimising the risks associated with theft, loss, misuse, damage or abuse of these systems.
Ensuring that information is protected from unauthorised access. Users may only access resources for which they have been expressly authorised. The assignment of rights must be strictly controlled and regularly reviewed.
Protecting the confidentiality of information. When we talk about the confidentiality of information, we are referring to protecting the information from disclosure to unauthorised parties.
Ensuring the integrity of information. The integrity of information refers to protecting information from being altered by unauthorised parties.
Ensuring the availability of information for business processes. The availability of information means ensuring that authorised parties can access the information when it is needed.
Compliance with and, where possible, exceeding national legal and regulatory requirements, standards and best practices.
Developing, maintaining and testing business continuity plans to ensure that we stay on track despite any obstacles. It’s all about ‘staying calm and carrying on!’
Raising awareness of information security by providing information security training for all employees. Security awareness and targeted training should be conducted consistently, security responsibilities should be reflected in job descriptions, and compliance with security requirements should be expected and accepted as part of our culture.
Ensure that no action is taken against an employee who discloses an information security issue through reports or direct contact with the Information Security Management Lead, unless such disclosure indicates beyond reasonable doubt illegal activity, gross negligence, or repeated intentional or wilful disregard of regulations or procedures.
Report all actual or suspected information security breaches to security@brandleadership.ch or use the form linked in POL-17 Incident Management, Appendix A.